Is Your Practice Really HIPAA Compliant?
- Do you know that new HIPAA regulations went into effect September 2013?
- Have you updated your business associate agreements?
- Have you performed risk assessment as required by the Meaningful Use program and the HIPAA regulations?
Many practices hurry through a HIPAA checklist and then believe that they are "HIPAA compliant." But, they often skip over the details, like the first item:
"Has a Risk Analysis been completed with IAW NIST Guidelines?"
In many cases the answer is no. Yet, practices may check it off and move on. Unfortunately, that puts the practice at risk for penalties and could jeopardize the stimulus money paid under the Meaningful Use program.
The Health Insurance Portability and Accountability Act (HIPAA) requires that physician practices and other healthcare organizations maintain privacy and security standards to ensure safekeeping of protected health information (PHI). A "complete and accurate” risk assessment is required at least once per year.
Who Needs to Do an Annual Risk Assessment?
Anyone with access to PHI is required to complete an annual risk assessment, including covered entities, business associates and business associate subcontractors.
- Physician Practices
- Nursing homes
- Home health agencies
- IT companies that work in healthcare
- Medical billing companies
- Transcription companies
- Answering services
- Any company with access to protected health information
Need a Reliable Way to Do An Annual Risk Assessment?
Check out HIPAA My Way from Logan Solutions.
Think It Won't Happen to You?
The HHS Office for Civil Rights, which is tasked with enforcing HIPAA, released the following press release about action taken against a dermatology practice.
Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.